The link in the email goes to marketing1.site hosted on 66.96.161.163 (Endurance International Group, US) and then redirects to a landing page at marketing1apps.net on 89.187.85.8 (Coreix, UK) which is just a gateway to marketing1.net on that same IP. The email comes from 87.253.234.168, a Mailjet IP in France.

As I mentioned previously, Marketing1.net are always having a closing down sale (but never close down) and if their sample data is anything to go by, it is complete crap. That's in addition to spamming domain contacts. Avoid.

The email originates from bosmailout13.eigbox.net [66.96.186.13] which belongs the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone.co.uk/invoice17731.doc which appears to be a hacked legitimate web site.

Detection rates have continued to improve throughout the day and currently stand at 10/47. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.

A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys.comfeeds.nsupdatedns.com

It is the same attack as described by Blaze's Security Blog and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91158.255.2.60feed404.dnsquerys.comfeeds.nsupdatedns.comcustomer.invoice-appmy.comcustomers.invoice-appmy.orgcustomer.appmys-ups.orgfeed404.dnsquerys.orgfeed.queryzdnsz.orgstatic.invoice-appmy.comvantageone.co.uk

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb.com/news/unpleasant-near_finally-events.php (report here) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)

The domains and IPs indicate that this is part of the "Amerika" spam run.

facebookHi,Here's some activity you may have missed on Facebook.BERTIE Goldstein has posted statuses, photos and more on Facebook.Go To Facebook

See All NotificationsThis message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The malicious payload is at [donotclick]ipiniadto.ru:8080/forum/links/column.php (report here) hosted on the same IPs as used in this attack:

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)

Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.

If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy)

You can use UPS .COM to:
Ship Online
Schedule a Pickup
Open a UPS .COM Account

Welcome to UPS Team
Hi, [redacted].

DEAR CUSTOMER , We were not able to delivery the post package

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.

With best regards , UPS Customer Services.

________________________________________
Copyright 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the Your USPS Team brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the Your USPS Customer Services Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.

There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh.ru:8080/forum/links/column.php hosted on:

If you need further assistance, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

Refunds for unused postage-paid labels can be requested online up to 7 days after the print date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is an automatically generated message. Please do not respond

The malicious payload is on indigocellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.218.102 (Endurance International, US). Blocking the IP will prevent other malware on the IP from being a threat.

Update: another current version of this spam redirects to jadecellular.com/showthread.php?t=73a07bcb51f4be71 on 72.249.104.75 (Networld Internet, US)

Thursday, 22 March 2012

Another load of LinkedIn Spam is doing the rounds, this time the payload is at cyancellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.217.78 (Endurance International, US) and also browncellular.com/showthread.php?t=d7ad916d1c0396ff hosted on 174.140.168.207 (Directspace, US)

Be on the lookout for other domains of a similar pattern, if you known of more then please consider adding a comment.. thanks!

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. Š 2010, LinkedIn Corporation.

The payload is at closteage.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 209.59.217.101 (Endurance International, US). Blocking that IP will block any other malicious sites on the same server.

Thank you for buying your accounting software from Intuit Market. We have received it and will send you an e-mail when your order is processed. If you ordered several items, we may deliver them in more than one shipment (at no extra cost to you) to provide faster processing time.

If you have questions about your order, please call 1-800-955-8890.

ORDER INFORMATION

Please download your full invoice
id #221137087563 information at Intuit small business website.

NEED HELP?

Email us at mktplace_customerservice@intuit.com.
Call us at 1-800-955-8890.
Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.

To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.

Thanks again for your order,

Intuit Market Customer Service

Privacy , Legal , Contact Us , About Us

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.

The malware is hosted on cogisunet.com/banner.php?aid=73a07bcb51f4be7 on 209.59.213.95 (Endurance International, US). The block 209.59.192.0/19 has a significant problem with malware at the moment, you may want to consider blocking IPs more widely.

Friday, 2 March 2012

The Spam Analysis blog has an excellent post analysing what is happening behind the scenes in the malware from some recent spam runs. I've taken their hard work and have broken out the domains and IP addresses that you may want to block.

Note that some of these sites may be legitimate hacked sites. Also 66.96.160.133 is a parking IP,, so there are several thousand other sites on the same address.